Anonymous Intelligence Signal

Path Traversal Vulnerability in Email Parser Exposes File System to Malicious Attachments

human · The Lab · unverified · 2026-04-16 20:22:54 · Source: GitHub Issues

A critical path traversal vulnerability has been identified in the `parse_body()` function of an email parsing library. The flaw allows a malicious actor to embed directory traversal sequences (e.g., `../../../etc/passwd`) in the `Content-Disposition` header of an email attachment. The parser accepts the raw, unsanitized filename from the header and stores it unchanged in the `Attachment.file_name` field, handing attacker-controlled path text to every downstream consumer of that field.

The vulnerability resides in `email_profile/parser.py` (lines 196–213). When processing an email part flagged as an attachment, the code extracts the filename via `part.get_filename()` without any validation. This raw string is then passed to `_decode_header()` and stored in the `Attachment` object. Any downstream system component that uses this `file_name` field to construct a filesystem path for saving the attachment could be tricked into writing the file content outside the intended, secure directory, potentially into sensitive system locations.
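The following is an added example, not code from the library in this report. It builds a constructed MIME message whose attachment header carries the traversal sequence cited above, shows the trusting lookup pattern the report describes (`part.get_filename()` stored as-is), and places beside it a hardened lookup that reduces the header value to a single safe path component before it is joined to a storage directory. The filename rules (allow-list of characters, handling of both separator styles, fallback name) are this example's own choices, not the library's; `sanitize_filename`, `safe_destination` and `demo` are names assumed here.

```python
"""Filename handling for email attachments: the trusting pattern the report
describes, next to a hardened version that never lets header-supplied text
select a directory. Added example, not code from the library in the report."""
import email
import re
import unicodedata
from email import policy
from pathlib import Path, PurePosixPath, PureWindowsPath

# Constructed sample message. The attachment's Content-Disposition carries a
# traversal sequence of the kind cited in the report; the body is base64 "payload".
RAW_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

body text
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="../../../etc/passwd"
Content-Transfer-Encoding: base64

cGF5bG9hZA==
--b1--
"""

FALLBACK_NAME = "attachment.bin"  # assumed default for unusable names
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def raw_attachment_name(part):
    """The pattern under discussion: the header value is kept as-is.
    Any later ``os.path.join(storage_dir, name)`` with this value can be
    steered outside ``storage_dir``."""
    return part.get_filename()


def sanitize_filename(raw, fallback=FALLBACK_NAME, max_len=128):
    """Reduce an attacker-controlled filename to one safe path component."""
    if not raw:
        return fallback
    # Normalise Unicode and drop control characters (a NUL can truncate the
    # path in C-backed file APIs and hide the real extension).
    name = unicodedata.normalize("NFKC", raw)
    name = "".join(ch for ch in name if ch.isprintable())
    # Keep only the last path component. Both separator styles are stripped
    # because the sender, not the server platform, chooses which to send.
    name = PureWindowsPath(PurePosixPath(name).name).name
    # Replace anything outside a conservative allow-list; leading dots are
    # removed so "." / ".." and hidden-file names cannot survive.
    name = _UNSAFE.sub("_", name).lstrip(".")
    if not name:
        return fallback
    return name[:max_len]


def hardened_attachment_name(part):
    """Drop-in replacement for the trusting lookup above."""
    return sanitize_filename(part.get_filename())


def safe_destination(storage_dir, file_name):
    """Build the on-disk path and, as defence in depth, verify that the
    resolved result still lies strictly inside ``storage_dir``."""
    base = Path(storage_dir).resolve()
    candidate = (base / sanitize_filename(file_name)).resolve()
    if base not in candidate.parents:
        raise ValueError("attachment path escapes the storage directory")
    return candidate


def demo(raw_message=RAW_MESSAGE, storage_dir="attachments"):
    """Parse the sample, locate the part flagged as an attachment, and compare
    both lookups. Returns (raw_name, sanitized_name, final_file_name)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = next(p for p in msg.walk() if p.is_attachment())
    raw = raw_attachment_name(part)
    safe = hardened_attachment_name(part)
    dest = safe_destination(storage_dir, raw)
    return raw, safe, dest.name


if __name__ == "__main__":
    raw, safe, dest = demo()
    print(f"header value : {raw!r}")
    print(f"sanitised    : {safe!r}")
    print(f"written as   : {dest!r}")
```

Two points of design worth noting: `get_filename()` already decodes RFC 2231 and RFC 2047 encoded parameters, so sanitising its return value (rather than the raw header text) covers encoded traversal strings as well; and the containment check in `safe_destination` is deliberately redundant with the sanitiser, so that a future change to the filename rules cannot silently reopen the hole.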

This flaw represents a significant security risk for any application relying on this parser to handle email attachments. Because no sanitization happens at the point of ingestion, the threat is present from the moment an email is processed. Systems that automatically save attachments under the provided filename are immediately vulnerable to arbitrary file write attacks, which could lead to data corruption or privilege escalation, or serve as a precursor to full system compromise. The vulnerability is passive until triggered by a malicious email, making detection difficult without proactive code review or security scanning.